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THE COMPUTER FRAUD AND ABUSE ACT OF 

1986— S. 2281 



WEDNESDAY, APRIL 16, 1986 

U.S. Senate, 

C!OMMITTEE ON THE JUDICIARY, 

Washington, DC, 

The comiaittefi met, pursuant to notice, at 9:48 a.m., in room SD- 
628, Dirksen Senate Office Building, Hon. Paul Laxalt presiding. 
Also present: Senator Simon. 

Staff present: William S. Miller, Jr., mcgority counsel; and Terry 
Wooten, majority counsel. 

OPENING STATEMENT OF SENATOR PAUL SIMON 

Senator Simon. The hearing will come to order. 

I am temporarily pinch-hitting until the /conunittee chair is here. 
I am interested in the subject. I do not cladm to have any expertise. 
I am here to learn, and hope our witnesses will provide that oppor- 
tu/nity. ■ 

The first witness is Senator Paul Trible, the chief sponsor of the 
lepslation, and we are very pleased to have our colleague here on 
what IS a very important question. 

STATEMENT OF HON. PAUL S. TRIBLE, A U.S. SENATOR FROM 
THE STATE OF VIRGINIA 

Senator Trible. Senator Simon, I thank you for your warm wel- 
come and I would ask at this time that my full statement be made 
a part of the record. 

Senator Simon. It will be. 

Senator Trible. I will summarize that statement at this time, 
with your permission. 

Senator Simon. You have my full permission to do that. 

Senator Trible. Mr. Chairman, I appreciate the opportunity to 
testify today on S. 2281, a bill that I have sponsored, along with 
Senator Laxait and others, to combat the growing problem of com- 
puter crime. 

I would say to my friend from Illinois that among the many co- 
sponsors is Senator Dixon, your colleague from Illinois. So I hope 
that you, too, will take a look at this measure and perhaps cospor- 
sor this effort. 

For the past two decades, the United Stetes has experienced a 
technological revolution. Widespread computer use has brought a 
great many benefits to American business and to all of our lives. 

(1) 



But it has also created a new type of criminal, one that uses com- 
puters to steal, to defraud, and to abuse the property of others. 

A recent survey by the American Bar Association found that 
almost one-half of those companies and government agencies that 
responded had been victimized by some form of computer crime. 
The known financial loss from these crimes was estimated as high 
as $730 million, and the report concluded that computer crime is 
among the worst white-collar offenses. 

In addition, pirate bulletin boards have sprung up around the 
country for the sole purpose of exchanging passwords to other peo- 
ple's computer systems. In Virginia alone, three such bulletin 
boards carry information on how to break into computers belong- 
ing to the Defense Department, the Republican National Commit- 
tee, and other groups. 

Senator Simon, it is time to dispel the notion that computer 
crime is not a serious offense. To that end, I introduced legislation 
early in 1985 to strengthen Federal penalties for computer-related 
crimes. That bill, S. 440, was the subject of hearings before Senator 
Laxalt's Subcommittee on Criminal Law last October. 

In the months since, I have worked closely with that chairman, 
Senator Laxalt, and with Congressman Hughes of New Jersey, who 
heads up the appropriate subcommittee in the House of Represent- 
atives, and I believe we have reached a consensus on the proper 
scope of Federal jurisdiction over computer crime. This measure 
before us, S. 2281, embodies that consensus. 

This legislation will assert Federal jurisdiction only in those 
cases in which there is a compelling Federal interest. It will broad- 
en protections currently given computers belonging to the Federal 
Government. It will afford similar protections to computers belong- 
ing to federally insured financial institutions, and it will proscribe 
certain computer crimes that are interstate in character. 

In more specific terms, my proposal will modify slightly the ex- 
isting computer crime statute in order to clarify its intent. For ex- 
ample, the Justice Department has expressed concerns about 
whether present law covers acts of simple trespass on Government 
computers or whether it requires a further showing that the data 
was used or modified. 

S. 2281 will make it clear that the present subsection (aX3) is a 
trespass offense. In addition, my bill will delete entirely the provi- 
sion in the present computer crime law relating to conspiracies. A 
conspiracy to commit a computer crime will be covered instead by 
"^e general Federal conspiracy statute, 18 U.S.C. 371. 

\ 2281 will also broaden the protections presently given data re- 
/ng to individuals' credit histories to include computerized 
i<K:ords of all customers, individual and corporate, of federally in- 
sured financial institutions. 

Now, in addition, this legislation will create several new comput- 
er crime offenses, and let me enumera^ ^ those very briefly. 

The new section (aX4) will penalize thefts of property via comput- 
er that are committed with an intent to defraud. It will require a 
showing that the use of the computer was integral to the intended 
fraud and was not merely incidental. 

The bill will also proscribe intentional destruction of computer- 
ized property belonging to another. Such an act may include out- 



right deletion of information or substantial damage to it. It may 
also include an act intended to alter another's computer password, 
thereby denying them access to their own data. 

In either case, this legislation will ensure that destruction of 
computerized data is punished as surely as we now punish abuses 
in more traditional forms of property. 

Now, both the theft and the destruction of property will be cov- 
ered by this bill when they are committed against computers be- 
longing to the Federal Government or to federally insured finan- 
cial institutions. Moreover, the same offenses will be covered when 
the computers involved are located in two or more different States. 

Finally, this bill will permit prosecution of those individuals who, 
possessing a clear intent to defraud, traffic in computer passwords 
belonging to othere. As I have mentioned, several pirate bulletin 
boards are operating in my home State of Virginia which now 
carry information on how to break into computers belonging to 
others. This legislation will provide misdemeanor penalties for such 
a crime. 

Mr. Chairman, there remains a vast array of computerized data 
that is wholly unprotected against acts of theft, vandalism and 
trespass. In the Government's race to protect this computer data 
against crime, the hour is late. Quite simply, the criminals have 
the technological edge. 

I believe this Congress must act quickly and give Federal pros- 
ecutors the tools to respond to computer-related crimes. Over the 
past several months, as I have said, I have worked closely with 
Senator Laxalt; Congressman Hughes, the Chairman of the House 
Subcommittee on Crime; and several other of our colleagues here 
in the Senate to fashion a computer crime statute that is properly 
focused. 

I believe this measure strikes a proper balance between the clear 
interests of the Federal Government in computer crime and the 
ability of the States to investigate and prosecute such offenses. 

I hope the committee will agree, and I hope the committee, with 
your support and leadership, will move quickly to approve Senate 
bill 2281. 

Senator Simon. I thank you for what appears to be both a good 
and a needed bill. 

Let me ask you one question here, and I am a nontechnical, non- 
computer person. When you talk about simple trespass and making 
that a crime, can simple trespass be accidental? 

Senator Trible. Well, frequently, an offender who has accessed a 
Government computer without proper authorization will not steal 
or damage the computer data. But, nevertheless, the offender is 
treading where he ought not to be, and he should be subject to 
prosecution in appropriate cases, just as surely as someone who 
walks on to, let us say, a sensitive Government property without 
proper authorization. 

So it is my view that there ought to be a law saying that such 
simple trespass is indeed unlawful. But, yes, the answer to your 
question is the simple trespass would be subject to prosecution. 
But, obviously, it would only be subject to prosecution in those 
cases where it was a serious offense. 



ni^"^^^ Simon Is simple trespass something that can happen ac- 
cidentally or must it be intentional? 
Senator Thible. Well, the whole body of this legislation, the 

)Sw *f '■"'^^'^ ^ *° ensure that a Contemplated 

criminal conduct is intentional; that it is unlawful in character. 

Senator Simon We thank you very much. If you would care to 
miSiltes— ^^^^^ ^ to be at another meeting in a few 

thSZ^L?''^"'- '^^l^' ^ ""^^'^^r P^"^ of the last hearing 

that focused on computer crime. I feel like an honorary member of 
this committee I must confess, though, I have got to go mark up a 

bill m the Foreign Relations, so I guess iimrn. up a 

Senator Simon. You are not going to be able 

Senator Trible. I cannot stay, as much as I would like 
Senate Simon. OK, all right. 

Senator Trible. I would like to be here to hear the Department 
of Justice speak m favor of this legislation, but I think I Will have 
to read Victoria's statement instead. 

TilblT All ^ght"' '^^^ ^ ^ assumption on your part. Senator 
Senator Trible. Thank you, sir. 
Senator Simon. Thank you. 

ti,F?l®*P'"flf'"^Qf*f n™®V*^ Senators Trible and Thurmond and 
the text of S. 2281 follow:] 

Prepared Statement of Senator Paul S. Trible 
h^J\^^t!!^'^ appreciate the opportunity to testify today on S. 2281, a bUI I 
Sero72otpu*^;&L"'*' the'gro^y 

lutton *Wi§^D,^d ^r^Sn^; United States has experienced a technological revc 
lution. WidMpread computer use has brought a great many benefits to American 
business and Americans'^ lives. But it has also cr^ a new ti^ "f crimhS-^ 
who uses computers to steal, to defraud, and to abuse the prTpe^of othera 
th^^^m^^^^ ^J^'' American Bar Association fouid tWaJm^t ^e-half of 
those companies and Government agencies that responded had been victimized bv 

mSld^Thi^h~S'$7lo'^?- ^ f™"- those criS^ w^es?^ 

rSthe'i^gSco^lTffe^.*'^ '^'"'^ ^-P"**"- <=^- - 

Du™'*'of°r:J?jl*'^ «P™n8 up around the country for the sole 

purpose of exchanging passwords to other people's computer systems In Virebiia 
fclrin such bulletin boards carry inforSn on how to bT^^to roSra 

Mr%l^^»^ ^'•^"5* Department and the Republican National CommittS^ 
offei^^r^r^l* /« fKo"^ "?ti°" tH computer crime is not a serious 

f"*' \ >ptro<Juced legislation eariy in 1985 to strengthen Federal nenalties 
tn^^"^"*^'"^ crimejhat bill. S. 440. was the sS.jlrtTf LaSi^brfore thi 
^rk^!&^ih1fK°?^^'°'"^ ^^^OcUA>er. In the months sta^T I have 
Z~r of^iJ.*^? °f th^t subcommittee to reach a consensu^ on the 

tKSi^! jurisdiction over computer crime. I believe S. 2281 embodies 

This legislation will assert Federal jurisdiction only in those cases in which there 
fu^„°tTv'^l'^^ ^^^"^ interest. According^. S. 22^1 will broadly toe prSL^ioSI 
Ur^^l^o^ """P"**"^ belonging to the Federal Government. It will ^ord simi- 
A^d'^^^i^ nr^ri}2'"'Pi"?" belonging to federally insure! financial iSLtitSti^s. 
And It will proscribe certam computer crimes that are interstate in nature. 

AMENDMENTS TO PRESENT LAW 

In more specific terms. Mr. Chairman, my proposal will modify slightly the exist- 
ing computer crime statute (18 U.S.C. 1030) in orjerto clarify its inteSt 
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For example, the Justice Department has expressed concerns about whether 
present law covers acts of simple trespass on Government computers, or whether it 
requires a further showing that the data was used or modified. S. 2281 will make 
clear that present subsection (aX3) is a trespass offense. Frequently, an offender who 
has accessed a Government computer without proper authorization will not steal or 
damage the computer data. Nevertheless, the offender in such cases is treading 
where he ought not to be, and he should be subject to prosecution just as surely as 
someone who walks onto sensitive Government property without proper authoriza- 
tion. 

In addition, my bill will delete entirely the provision of the present computer 
crime law relating to conspiracies. A conspiracy to commit a computer crime wdll be 
covered instead by :he general conspiracy statute (18 U.S.C. 371). 

S. 2281 will also broaden the protections presently given data relating to individ- 
uals[ credit histories. It is an offense under existing law to steal computerized infor- 
mation on individuals* relationships with consumer reporting agencies. The premise 
of that offense is to protect the privacy of customers of such agencies. My bill will 
broaden those privacy protections to include computerized records of all custom- 
ers—individual and corporate — of federally insured financial institutions. 

NEW OFFENSES 

In addition, Mr. Chairman, this legislation will create several new computer 
crime offenses. 

The new subsection (aX4) will penalize thefts of property via computer that are 
committed with an intent to defraud. It will require a siiowing that the use of the 
computer was integral to the intended fraud, and vas not merely incidental. An in- 
dividual possessing an intent to defraud should not be punished for merely storing 
information in a computer, any more than he should be punished for storing that 
information in a file cabinet or card file. The use of a computer by one who has 
devised a scheme to defraud should constitute an offense only when the computer 
was used to obtain property of another which furthers the intended fraud. 

This bill will also proscribe intentional destruction of computerized property be- 
longing to another. Such an act may include outright deletion of information, or 
substantial damage to it. It may also include an act intended to alter another's com- 
puter password, thereby denying him access to his own data. In either case, S. 2281 
will ensure that destruction of computerized data is punished as surely as we now 
punish abuses of more traditional forms of property. 

Both the theft and the destruction of property will be covered by this bill when 
they are committed against computers belonging to the Federal Government or fed- 
erally insured financial institutions. The same offenses will be covered when the 
computers involved are located in two or more different States. 

Finally, this bill will permit prosecution of those individuals who, possessing a 
clear intent to defraud, traffic in computer passwords belonging to others. As I have 
mentioned, several pirate bulletin boards are operating in my home State of Virgin- 
ia which carry information on how to break into computers belonging to others. 
S. 2281 will provide misdemeanor penalties for such a crime. 

Mr. Chairman, there remains a vast array of computerized data that is wholly 
unprotected against acts of theft, vandalism, and trespass. In the Government's race 
to protect this computer data against crime, the hour is late. Quite simply, the 
criminals have the technological edge. 

I believe this Congress must act quickly, and give Federal prosecutors the tools to 
respond to computer-related crimes. Over the past several months, I have worked 
closely with Senator Laxalt and Congressman Hughes, the chairman of the House 
Subcommittee on Crime, to fashion a computer crime statute that is narrowly fo- 
cused. I believe this measure strikes a proper balance between the clear interests of 
the Federal Government in computer crime, and the ability of the States to investi- 
gate and prosecute such offenses. I hope that this committee will agree, and will 
move quickly to approve S. 2281. 

I look forward to working with the committee in the days ahead, and I will be 
happy to answer any questions at this time. 



Prepared Statement of Chairman Strom Thurmond 

Good Morning. Today we are here to examine legislation that will provide addi- 
tional penalties for fraud and related activities in connection with computers and 
access devices. 
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This proposed legislation has a two-fold objective. First, it is designed to make 
necessary adjustments to title 18, section 1030, of the United States Code to allow 
for more effective punishment of individuals who commit computer crime. Second, 
this legislation will add new computer crime offenses to section 1030 not contem- 
plated in the original legislation. This compelling expansion of section 1030 offenses 
will act to protect those private entities who store confidential information on com- 
puters not subject to public disclosure. As well, the expansion of prosecutable of- 
fenses will protect the United States Government as well as private eritities from 
suspecting individuals who access computers to commit fraud and to alter or destroy 
stored data that could not be replaced. 

I welcome a panel of distinguished witnesses from organizations who rely on com- 
puters in their day to day businr^ operations. I am confident that today's witnesses 
will provide invaluable insight into this proposed legislation that will enhance and 
improve the present Federal legislation. 
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99th congress 
2d Session 



S. 2281 



To amend title 18, United States Code, to provide additional penalties for fraud 
and related activities in connection with access devices and computers, and 
for ry .r*r purposes. 



m THE SENATE OF THE UNITED STATES 

Apbil 10 (legislative day, ApBa 8), 1986 
Tbible (for himself, Mr. Laxalt, Mr. Dbnton, Mr. AbmstbOno, and Mr. 
Dixon) introduced the following bill; which was read twice and referred to 
the Committee on the Judiciary 



A BILL 

To amend tide 18, United States Code, to provide additional 
penalties for fraud and related activities in connection with 
access devices and computers, and for other purposes. 

1 Be it enacted by the Senate and House of Representor 

2 tives of the United States of America in Congr^ assembled, 

3 SECTION 1. SHORT TITLE. 

4 This Act may he cited as the "Computer Fraud and 

5 Abuse Act of 1986". 

6 SEC. 2. SECTION 1030 AMENDRfENTS. 

7 (a) Modification of Definition of Financial In- 

8 stitution.— Section 1080(aK2) of tide 18, United States 

9 Code, is amended — * 
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2 

1 (1) by striking out "knowingly" and inserting "in- 

2 tentionally" in lieu thereof; and 

3 (2) by striking out "as such terms are defined in 

4 the Right to Financial Privacy Act of 1978 (12 U.S.C. 

5 3401 et seq.),". 

6 (b) Modification op Existino Qovbbnment Com- 

7 PUTEB8 Offense. — Section 1030(a)(3) of title 18, United 

8 States Code, is amended — 

9 (1) by striking out "knowingly" and inserting "in- 

10 tentionally" in lieu thereof; 

11 (2) by striking out ", or having ^.ccessed" and aU 

12 that foUows through "prevents authorized use of, such 

13 computer"; 

14 (3) by striking out "It is not an offense" and aU 

15 that foUows through ""use of the computer/'; and 

16 (4) by striking out "if such computer is operated 

17 for or on behalf of the Government of the United 

18 States mi such c<mduct affects such operation" and 

19 inserting in lieu thereof "if such computer is ezclusive- 

20 ly for the use of the €k>vemment of the United States 

21 or, in the case of a computer not exclusively for such 

22 use, if such con^ater is used by or for the Government 

23 of the United States and such conduct affects such 

24 use". 
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(c) Modification op Authoeized Access Aspect 



2 OF Offenses. — Paragraphs (1) and (2) of section 1030(a) of 

3 title 18, United States Code, are each amended by striking 

4 out or having accessed" and all that foUows through "does 

5 not extend" and inserting "or exceeds authorized access" in 

6 lieu thereof. 

7 (d) New Offenses.— Section 1030(a) of title 18, 

8 United States Code, is amended by inserting after paragraph 

9 (3) the foUowing: 

10 "(4) knowingly and with intent to defraud, access- 

11 es a Federal interest computer without authorization, 

12 or exceeds authorized access, and by means of such 

13 conduct furthers the intended fraud and obtains any- 

14 thing of value, unless the object of the fraud and the 

15 thing obtained consists only of the use of the computer; 

16 "(5) intentionally accesses a Federal interest com- 

17 puter without authorization, and by means of one or 

18 more instances of such conduct alters information in 

19 that computer, or prevents authorized use of that com- 

20 puter, and thereby causes loss to another of a value 

21 aggregating $1,0(X) or more during any one year 

22 period; or 

23 "(6) knowingly and with intent to defraud traffics 

24 (as defined in section 1029) in any password or similar 
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1 information through which a computer may be accessed 

2 without authorization, if — 

3 ''(A) such trafficking affects interstate or for- 

4 eigu commerce; or 

5 **(B) such computer is used by or for the 

6 Government of the United States;". 

7 (e) Elimination op tSbction Specific Conspibacy 

8 Offense.— Section 1030(b) of title 18, United States Code, 

9 is amended — 

10 (1) by striking out "(1)"; and 

11 (2) by striking out paragraph (2). 

12 (t) Penalty Amendments. — Section 1030 of title 18, 

13 United States Code, is amended — 

14 (1) by striking out ''of not more than the greater 

15 of $10,000" and all that follows through "obtained by 

16 the offense" in subsection (c)(1)(A) and inserting 

17 ''under this title" in lieu thereof; 

18 (2) by striking out "of not more than the greater 

19 of $100,000" and all that follows through "obtained by 

20 the offense" in subsection (c)(1)(B) and inserting 

21 "under this title" in lieu thereof; 

22 (3) by striking out "or (a)(3)" each place it ap- 

23 pears in subsection (cK2) and inserting ", (a)(3) or 

24 (a)(6)" in lieu thereof; 
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1 (4) by striking out "of not more than the greater 

2 of $5,000" and all that follows through "created by 

3 the offense" in subsection (cK2KA) and mserdng 

4 "under this title" in lieu thereof; 

5 (5) by striking out "of not more than the greater 

6 of $10,000" and all that follows through "created by 

7 the offense" in subsection (c)(2)(B) and inserting 

8 "under this title" in lieu thereof; 

9 (6) by striking out ' 'not than' ' in subsection 

10 (c)(2)(B) and inserting "not more than" in lieu thereof; 

1 1 (7) by striking out the period at the end of subsec- 

12 tion (c)(2)(B) and inserting "; and" in lieu thereof; and 

13 (8) by adding at the end of subsection (c) the 

14 following: 

15 "(3)(A) a fine under this title ur imprisonment for 

16 not more than five years, or both, in the case of an 

17 offense under subsection (a)(4) or (a)(5) of this section 

18 which does not occur after a conviction for another of- 

19 fense under such subsection, or an attempt to commit 

20 an offense punishable under this subparagraph; and 

21 "(B) a fine under this title or imprisonment for 

22 not more than ten years, or both, in the case of an of- 

23 fense under subsection (a)(4) or (a)(5) of this section 

24 which occurs after a conviction for another offense 
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1 under such subsecdcn, or an attempt to conunit an of- 

2 fense punishable under this subparagraph.". 

3 (g) CONFOBMINO AMENDBiENTS TO DeFIKITIONS PbO- 

4 VISION.— Section 1030(e) of title 18, United States Code, is 

5 amended — 

6 (1) by striking out the comma after "As used in 

7 this section" and inserting a one-em dash in lieu 

8 thereof; 

9 (2) by aligning the remaining portion of the sub- 

10 section so that it is cut in two ems and begins as an 

11 indented paragraph, and inserting "(1)" before "the 

12 term"; 

13 (3) by striking out the period at the end and in- 

14 serting a semicolon in lieu thereof; and 

15 (4) by adding at the end thereof the following: 

16 '(2) the term 'Federal interest computer' means a 

17 computer — 

18 "(A) exclusively for the use of a financial in- 

19 stitution or the United States Government, or, in 

20 the case of a computer not exclusively for such 

21 use, used by or for a financial institution or the 

22 United States Oovemment and the conduct con- 

23 stituting the offense affects such use; or 
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1 "(B) which IB one of two or more computers 

2 used in committing the offense, not aU of which 

3 are located m tlie same State; 

4 "(3) the term 'State' mcludes the District of Co- 

5 lumbia, the Commonwealth of Puerto Bico, and any 

6 other possession or territory of the United States; 

7 "(4) the term 'financial institution' means — 

8 "(A) a bank with depodts insured by the 

9 Federal Deposit Insurance Corporation; 

10 "(B) the Federal Reserve or a member of the 

11 Federal Reserve including any Federal Reserve 

12 Bank; 

13 "(C) an institution with accounts insured by 

14 the Federal Savings and Loan Insurance Corporar 

15 tion; 

16 "(D) a credit union with accounts insured by 

17 the National Credit Union Administration; 

18 "(E) a member of the Federal home loan 

19 bank system and any home loan bank; and 

20 "(F) any institution of the Farm Credit 

21 System under the Farm Credit Act of 1971; 

22 "(5) the term 'financial record' means information 

23 derived from any record held by a financial institution 

24 pertaining to a customer's relationship with the finan- 

25 cial institution; and 
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1 "(6) the term 'exceeds authorized access' means 

2 to access a computer with authorization and to use 

3 such access to obtain or alter information in the com- 

4 puter that the accessor is not entitled so to obtain or 

5 alter.". 

6 (h) Law Enfobcebcent and Intellioence Activi- 

7 TT Exception. — Section 1030 of tide 18, United States 

8 Code, is amended by adding at the end the foUowing new 

9 subsection: 

10 "(f) This section does not prohibit any lawfully author- 

11 ized investigative, protective, or intelligence activity of a law 

12 enforcement agency of the United States, a State, or a politi- 

13 cal subdivision of a State, or of an intelligence agency of the 

14 United States.". 

O 
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Senator Simon. Victoria Toensing, if I am pronouncing it correct- 
ly, the Deputy Assistant Attorney General. 

STATEMENT OF VICTORIA TOENSING, DEPUTY ASSISTANT AT- 
TORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF 
JUSTICE 

Ms. Toensing. Good morning. 

Senator Simon. Thank yor very much. We welcome you. 

Ms. Toensing. Good morning, Mr. Chairman. I have a much 
longer complete statement that I would like to submit for the 
record. 

Senator Simon. It wUl be in the record. 

Ms. Toensing. And I promise to make my own remarks shorter. 
I also had to promise Senator Trible that I would be positive in my 
statements, Mr. Chairman, so I am going to do the best that I can. 

I testified before this committee last fall and explained the prob- 
lems that the Justice Depau-tment had on the present computer 
crime act; we were really having a great deal of problems with it. 

At that time, I promoted the administration's computer crime 
bill. I would like to commend the subcommittee and, in particular. 
Senators Trible and Laxalt for all the work that they have done. I 
worked on Senate staff myself for 3 years, so I know all the work 
that the staff has also done on this project. 

The present bill is much improved for us in addressing the prob- 
lem of computer crime. What I would like to do is put on the 
record that we are basically supporting S. 2281. We are still look- 
ing at it with some hope for getting a few more changes in it that 
we think will make it easier for us to prosecute. 

Let me outline for you the four main principles that we would 
like to see in a computer crime bill. Before I do that, I would like 
to explain that when I use the shorthand term of "Federal comput- 
er," what I really mean ic that it is a computer owned or operated 
on behalf of the United States or of a federally insured financial 
institution. But I will use the shorthand of just a "Federal comput- 
er" so we all know what we are talking about. 

The first principle that we would like to see is that it be a crime 
to have unauthorized access to any kind of Federal computer with- 
out the Detaining of any information. It is simply that there should 
not be any unauthorized access.* 

No. 2, that there be a computer fraud offense that is patterned 
after our present fraud statutes, and that this apply to both the 
Federal computers and to certain situations where there would be 
Federal jurisdiction; in other words, two computers crossing State 
lines or a computer in one State and in a foreign country. 

Good morning, Mr. Chairman; good to see you. 

Senator Laxalt [presiding]. Good morning. How are you? 

Ms. Toensing. Fine. 

Mr. Chairman, I was just praising you. You missed the praises on 
the record, but the Department of Justice was just thanking you 
and your staff and Senator Trible and his staff for all the work 
that you have put into this. 

Senator Laxalt. Thank you. 

Ms. Toensing. It is looking good. 
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Senator Laxalt. Thank you. 

Ms. ToENsmc. We just have a couple more requests. 

I was discussing the four principles that a computer crime bill 
should have. I just outlined two of them very briefly. The third one 
is covering computer destruction. We wanted it to be a crime to 
cover the destruction of any kind of Federal computer; and, fourth, 
a forfeiture provision. 

If I could just go through those very, very briefly, Mr. Chairman, 
and tell you what little technical changes we would like to see. 

On the computer access, the bill very ably covers unauthorized 
access if the computer is a Federal computer that is used exclusive- 
ly by the Federal Government, but it does not cover it if it is a fed- 
erally financed insured institution. 

We think that they should be treated the same; that a person's 
financial records should not be accesses in an unauthorized 
manner any more than records in a Federal computer. What we 
would suggest is perhaps we could insert the word observe'' in the 
text, and my staff can work with — it is in my statement where it 
should be, but in addition to "obtain," to "observe," so that no one 
would be looking at someone else's financial records. 

The second provision, the fraud provision, Mr. Chairman— the 
bill, as it is written, provides a fraud offense for Federal computers. 
We have two concerns with that. One of them is that it requires us 
to prove that not only is the computer accessed with the intent to 
defraud and that such access as furthered the fraud scheme and al- 
lowed the defendant to obtain something of value, but we also have 
to prove that this computer was accessed without authorization or 
that the person exceeded the scope of his or her authorization. 

That concerns us. We are looking at the fraud offense as a fraud, 
and that is the heart of the crime; that is the sin that we are talk- 
ing about. The unauthorized access is an additional sin that one 
should not do, but we would not like that as part of the fraud of- 
fense. Let me explain to you why on two counts. 

One: What if the owner of the computer or Government supervi- 
sor is in on the scheme? It could make it difficult for us as prosecu- 
tors to prove that it was actually unauthorized because the person 
could have had permission to go beyond what we would consider to 
be the scope. 

The other problem is it gets into a messy jury issue where you 
start arguing over whether the person was authorized or not au- 
thorized, and people forget to look at the real offense, which is the 
fraud or the scheme. Fraud is usually a very difficult element to 
prove in any event because frauds get very complicated when one 
has the mind to use a computer to commit a fraud. 

The other point is that it does not track the old language that we 
know in our other fraud criminal statutes. The concern there, Mr. 
Chairman, is that when we walk into the courtroom and we talk 
about the language that we know in the fraud cases, we have a his- 
tory. We have a precedential value in our fraud cases, so we know 
exactly what the courts are going to look at as to what constitutes 
a scheme to defraud. 

This proposed bill has new language, and what the courts will do 
to us is they will say, "We know that the Congress knew what lan- 
guage was in the fraud statutes and now they have come up with 
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different language, so they must have meant a different kind of 
scheme or a different kind of standard." 

If you feel that you may not want to put it in the statui>e, if in 
the report you could explain you meant the same kind of standard 
or scheme that we have always used in proving fraud cases, it 
would help us. 

I hate to have another kind of fraud standard under the law for 
computer fraud. It does not make sense for us to have to prove dif- 
ferent kinds of frauds for computers than we would have for some- 
one committing a f^ud otherwise. 

Senator Laxalt. Well, does your proposed language track the ex- 
isting language exactly or is it changed somewhat? 

Ms. ToENSiNG. Your language does not track existing language. 

Senator Laxalt. I know ours does not. But your propped lan- 
guage, by way of modification, does? 

Ms. ToENSiNG. Yes. 

Senator Laxalt. Is that your intent? 

Ms. ToENSiNG. Yes. 

Just a minute, Mr. Chairman. I want to make sure — I know we 
submitted it at one time. It is in S. 1678, but my staff will be glad 
to work with anybody on your staff to show where to insert it. 

Senator Laxalt. Well, your statement indicates you are tracking 
S. 1678. Is that true? 

Ms. ToENSiNG. Yes. 

Senator Laxalt. OK. 

Ms. TOENSING. Two other just quick points, Mr. Chairman. On 
destruction, we would ask that you put into the $1,000 limit the 
amount of money that it would take to compute the lost computer 
time and the cost with redoing any program that could have been 
destroyed. 

The last provision is forfeiture. Again, we feel that these are the 
kinds of cases where many times when people use computers, the 
courts, when it comes time for sentencing people, look at them as 
not going to be getting heavy sentences in this area. 

So perhaps one of the deterrent angles would lye to take away 
the thing that the computer criminal holds most dear, and that is 
the computer. We have proposed a forfeiture provision. 

That is the extent of my remarks, Mr. Chairman. I would be glad 
to answer any questions. 

Senator Laxalt. We thank you very much for your presentation. 
In addition, we thank you very much for the cooperation we have 
had from Justice in formulating this bill. 

In connection with your proposed recommendations, I can say 
that, subject, of course, to the staff evaluation and eventual signoff, 
it appears that we can accommodate almost all your suggestions. 

Ms. ToENSiNG. We appreciate that. 

Senator Laxalt. We think they add materially to the bill. We 
have mme a long way in this whole field. I know that I speak for 
the members of the subcommittee when I say that we had no idea 
until the hearings about the tremendous gap that we have in this 
whole field, and it is one that simply has to be covered. 

Judging from what is happening on the House side anc*. what we 
sense is happening here, it may well be that we will have some- 
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thing by the end of this year. I think it would be a remarkable 
achievement in the whole area. 

So we thank you for your time and continued attention. 

Ms. ToENSiNG. We thank you. 

Senator Laxalt. Thank you. 

[The prepared statement and responses to written questions 
foUow:] 
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Mr. Chairrian and Meroberr o* the Coinmittee, I an pleased to 
be here today to present the viewf <^f the Department of Justice 
on S. The Computer Fraud and Abuse Act of 1986. As vou 

know, I testified on October 30, 1985, before the Subcommittee on 
Criminal i^w on the subject of computer crime and at that time 
discussed the shortcomings of the present computer crime statute, 
18 0.S.C. 1030, and described the Administration's computer crime 
bill, S. 167P. 

S. 2781 includes a series of amendments that would 
strengthen section 1030 of title IE; it also contains so?t»p 
provisions that are similar to those in S. 1678. ConseguerTt?v, ■ 
the Department of Justice euoportB S. 2281, although we will 
suggest sore anendnents which w« think would further improve the 
bill. Let me fir^t review some of the features we have said 
should be included in computer crime, legislation. 

Firnt, there should be an offense proscribing the willfu? 
obtaining o' unauthorized access to a computer owned by or 
operated or behalf of the United States or of a federally insured 
financial institution. This "treepassory" type of activitv 
should be made a crime even without a showing that any 
information was obtained or that the unauthorized access 
prevented someone else from legitimately accessing the computer. 

Second, there should be a computer fraud offense, patterned 
after the mail and wire fraud statutes, for fraud schemes 
involvino computers with a particular fednral nexus. We have 
?uqgested that the computer fraud offense should applv where the 
computer involved is owred by or operated on behalf of the United 
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States or a federallv injured financial irstitution, or where the 
offence involves computers located in two or more states or in a 
state and a foreign country. 

Third, it shou' - be a federal crime to destroy willfully and 
without authority any computer owned by or operated on behalf of 
the United States or a federally insured financial institution, 
or any computer program or data contained in such a computer. 

Fourth, conputer crime legislation should contain a criminal 
forfeiture provision under which the defendant's interest in any 
computer involved in one of the three above offenses — unauthor- 
ized computer access, computer freud, or computer destruction — 
could be forfeited tc the govermncr't on his or her conviction. 

Unauthorized Acce^r to Computers 

S. 2281 , contains irrry of these provisions. First, 
subsection 2(b) of the bill amends present section 1030(a)(3) to 
ma)ce it an offense intentionally to make unauthorized access to a 
computer if the computer is used exclusively by the government #5f 
the United States. The amendment eliminates the requirement in 
the present subsection that the person who na)ces unauthoriied 
access to a government computer must also use, modify, destroy, 
or disclose information in, or prevent authorized use of the 
computer. Thus, S. 2281 would establish a true unauthorized 
access offense for federal government computers. The offense 
would be puninhable as a misdemeanor 'or a first offense, 
although a Kccond conviction woulr" be punishable as a felony. He 
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think this is the appropriate punishment level for this offense. 



By contrast, S. 2281 does not contain a "pure" unauthorized 
access offense for federally insured financial institutions' 
computers. Rather, it amends (in subsection 2(a) of the bill) 
Bxibsection 1030(a)(2) to na)ce it an offense to malce unauthorized 
access to a co.nputer and therebv obtain information contained in 
a "financial record" of a "financial institution." The 



1/ The revision of subsection 1030(a)(3) would also cover 
unauthorized access to a computer used only part time by or for 
the government of the United' states. The wording of thip 
provision greatly alleviates another problem in the existing 
1030(a)(3). Presently, 1030 (a)(3) na)ces it a federal crime to 
make unauthorized access to and to use, modify, or destroy 
information in a computer "operated for or on' behalf of the 
Government of the United States J if] such conduct affects such 
operartion." Grannatirallv, it would seem that this should 
recTuire the government to prove onlv that the person's conduct 
affected ;:he operation of the computer. However, the legislative 
history of this provision indicates that the prosecutor must 
prove that the unauthorized access to and the use or destruction 
of the information contained in the computer affects the 
operation of the government. See House Report No. 98-894, 98th 
Cong., 2d Sess., July 24, 1984, p. 22, for a discussion of the 
provision which became 1030(a) (3). It is our understanding that 
the revision of 1030(a) (3) in S. 2281 would make unauthorized 
access to a computer used part time by the government a federal 
crime if it could be shown that the unauthorized access was made 
at anv tine when the federal government was authorized to use it, 
or if the unauthorized "hacker" left some sor'^ of message that 
was discovered when the federal government resumed its use of the 
computer. We would suggest, however, that to nalce this 
absolutely clear the revised 1030(a)(3) should read: "[Whoever] 
intentionally accesses a computer without authorisation if such 
computer is exclusively for the use of the Government of the 
United States or, in the rase of a computer not exclusively fcr 
such use, if such computer is used by or for rhe Government o' 
the United Statec and such corduct affects the use of the Federa?. 
Government*? operation of the computer." 
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requirement that a person "obtain information" makes this 

somethinn other that an unauthorized access offense- Since 

ruiranaqing through bank files is, in our view, conduct deserving 

of punishment even if no information is actually obtained, and 

since federally insured financial institutions are deserving of 

the protection of federal criminal lavs, we favor an unauthorized 

offense for this activity. 

Nevertheless, subsection ?Aa) of the bill, coupled with the 

bill's subsequent definition of 'financial record" as 

"information derived from anv record held by a financial 

institution pertaining to a customer's relationship with the 

financial institution," represents an improvement over the 

present subsecticn 1030 (f!)(2). The present 1030 (a)(2) prohibits 

only unauthorized a<"CftSs to a financial institution's computer to 

obtain information in the acmunt of an individual or a 

partnership of five, or fewer persons. The revised lC30(a)(2) 

would reach obtaining information about corporate accounts at thr 

financial inst-jtut5.on, and loans to all individuals and bu?5ineEE 

entities (since the individuals and businesses who have received 

2/ 

the loans are all "customers" of the bank) . — 



2/ It would not, howftver, rover — as we think should be covered 
— obtaining information about tho financial institution itself, 
such as its deposits in othnr banks, itc loan policies and 
criteria, or lists of itr shareholders. 
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Computer Fraud 



S. 2281 also contains a computer fraud offense, flection 
2(d) of the bill sets out a new subsection 1030 (a) (4) which would 
punish one who ")cnowingly and with Intent to defraud, accesses a 
Federal Interest conputer without authorization, or exceeds 
authorized access, and by means of such conduct furthers the 
Intended fraud and obtains anythina of value, unless the object 
of the frflud and ihe thina obtained consists only of the use of 
the computer." The term "Federal Interest computer" Is defined 
to mean a computer used bv the United States Government or by a 
federally insured finftnrlal Institution, — ^ or which is one of 
two or more -:oir.puters used ir committing the offense, not all of 
which are located In the same state. Thus, we think that the 
computer fraud offenre in ?, 2281 covers the type of computers in 
which there is a legitimate federal interest. 



3/ The tern "financial institution" is defined somewhat 
differently in S. 2281 from its definition in the 
Admlnlfitratlon's bill, S. 1678. In both bills the term Includes 
federally Insured hanks, savings and loan associations, and 
credit unions, and member banks of the Federal Reserve and of the 
hone loan bank system, in S. 1678, the term also Includes a 
member or business Insured by the Securities Investor Protection 
Corporation and a broker-daaler registered with the Securities 
and Exchange Connlsslon. These businesses are not Included in 
the definition in S. 2281 although S. XXXX*8 definition does 
Include any institution of the Farm Credit System under the Farm 
Credit Act ef 1971." We are not opposed to covering Farm Credit 
System computers In the definition, but we believe computers of 
federally reclntered or insured brokerage firms are equally 
deserving of federal coverage. 
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However, the gravamen of the computer fraud offense in 
S. 2281 is misplaced, in our view. S. 2281 requires the 
govemaent to prove not only that the computer was accessed with 
intent to defraud, and that the access furthered the fraud and 
allowed the defendant to obtain something of value (other than 
the use of the conputer) , but also that the access was without 
authorization or exceeded the scope of authorized access. -'^ As 
1 said at the hearing last Fall, we can see no valid reason why a 
computer fraud offense should include a requirement that the 
government prove the defendant lacked authority, or exceeded his 
authority, to access the computer involved in the offense. What 
is involved is an economic crime, an attempt to steal money or 
other property. Whether it was done by authorized or 



4/ S- 2281 does cover preventing authorized use of a Federal 
interest computer in a new subsection 1030(a)(5). That 
subsection sets out a felony of intentionally accessing such a 
computer without authorization and by means of one or more 
instances of such conduct altering information in the computer or 
preventing unauthorized use of the computer, if the person's 
conduct also causes a Iosf to another of $l,oOT or more durino 
any twelve-month period. 

5/ S. 2281 substitutes the phrase "exceeds authorized access* 
Tor the cumbersome phrase "or having accessed a computer with 
authorisation, uses the opportunitv Buch access provides for 
purposes to which such authorization does not extend" throughout 
section 1030. The phrase "exceeds authorized authority" is 
defined in a new subsection 1030(e)(6) as "to access a computer 
with authorization and to use such access to obtain or alter 
information in the computer that the accesser is not entitled to 
so obtain or alter." We would suggest that this definition would 
be improved if the word "observe," was inserted before the word 
"obtain" both places It appears. This eliminates the problem of 
having to prove asportation, a difficult concept when an 
intangible, like information, is involved. 
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unauthorized computer access should be Irrelevant. Proving thp 
defendant's lack of authoritv could, in many cases, divert the 
jury's attention from what should be the central issue of whether 
the defendant devised a schene to defraud, and if he did, did he 
access a computer in which there is some statutorily defined 
federal interest in carrying out the schene. Again, we would 
urge the Committee to adopt thin concept. Moreover, we recommend 
adoption of the computer fraud language contained in S. 1678 
which tracks the mftil ard wire fraud provisions so as to preserve 
the considerable body -*5f case law that has been developed under 
them, a familiar area of the lav to the vast majority of federal 
prosecutors and judges. 

Computer Destruction 

For the offense of deptroving a computer, a computer 
program, or computer data, S. 2281 sets out a nev subsection 
1030(a)(5) which is sopfwhnt similar to the approach taken in 
S. 1678- The new 1030 (n) (5) in S. 2281 would provide for 
punishment at the felony level for whoever "intentionally 
accesses a Federal interest computer without authorization, and 
by means of one or more instances of such conduct alters 
information in that computer, or prevents authorized use of that 
computer, and thereby causes loss to another of a value 
aggregating SI, 000 or more during any one year period." It is our 
understanding that this is intended to be a "malicioup damage" 
provision. The ^1 ,000 threshold is intended to exclude such art.r 
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an a hacker's leaving his name or a message on a covered 
computer, although I would note that if the computer involved %ras 
one oimed by the federal government — as opposed to a computer 
ovned by a financial institution or one owned by a private party 
and accessed through another computer in another state — such an 
act would still be punishable as a misdemeanor under 1030 (a) (3), 
the unauthorized access offense. 

The comparable offense in S. 1678 covers damaging, 
destroying, or attempting to damage or destroy a computer owned 
bv or operated for the United States Government or a financial 
institution, or any computer progr2un or data contained in such a 
computer. In draftina thin provision, we felt that the role of 
the federal government should be limited, at least at first, to 
computer damage cases where the federal interest in the computer 
is the strongest. Accordingly, S. 1678 does not cover damage to 
a computer or computer data ir one state by means of a computer 
in another state. If the Committee, nevertheless, believes that 
federal jurisdiction should be asserted over such an offense, at 
least where the damage amount r< to $1,000 or more, we will not 
oppose it. We would, however, suggest that the legislative 
history of the proposed new subsection 1030(a) (5) in S. 2281 
should ma]ce it clear that, in computing the eunount of loss to 
reach the $1,000 threshold, such factors as lost computer time 
necessitated while erasing unauthorized entries in the computer, 
and the costs associated with checking and, if necessary, 
redoing an altered computer program should all count. 
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Forfeiture Provisions 

S. 2281 does not contain a criminal forfeiture provision. 
As I indicated in iny October testimony, forfeiture of the 
defendant's interest in the computer involved in the offense 
%pould often be an appropriate punishment, esp<:oially for a person 
convicted of the misdemeanor offense of making unauthorized 
access to a government computer. Realistically, few such persons 
are going to receive jail time for their first conviction. While 
they could receive a fine of up t:o $100,000, few defendants — 
even the typically well educated ones clever enough to use their 
home or business computer to "hack" into a government computer 
network — have an\'where near the type of assets necessary to pav 
such a fine. Forfeiture of the "hacker's" prized computer may be 
a very effective punishment, especially in cases where the 
defendant achieves a „ort of "celebrity" status among his fellow 
computer buffs by having his defeat of the government's computer 
security system publicized by hir, misdemeanor conviction without 
any other real punishment. 

Miscellaneous 

In addition to those mentioned, S. 2281 makes other changes 
in section 1030 of title 18 which are generally helpful. It sets 
out a new offense in subsection 1030(a)(6) to proscribe traffick- 
ing in any password or simila^r information through which a 
computer may be accessed without information, with intent to 
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defraud, if the trafficKing affects interstate or foreign 
cOBBerre or the computer to which the password applies is used- by 
or for the Government of the United States. It is our 
understanding that the conduct aimed at here is the creation and 
use of "pirate bulletin boards" used by "hackers" to display 
passwords to costputers. Such an offense would appear to be 
warranted. Requiring that the trafficking be done with intent to 
defraud is too restrictive, however, with respect to the 
passwords for government computers. Selling or sharing at no 
cost passwords to allow a multitude of hackers to peruse 
government computer-stored information should be at least a 
misdemeanor, without anv showing that the other hackers intended 
to defraud the government. 

S. 2281 substitutes the word "intentionally" for the terra 
"knowingly" in 1030(a) (2> and (3) for the mental state required 
for the offenses involving the unauthorized obtaining of informa- 
tion in financial institution computers and making unauthorized 
access to a Government ropputer. While we understand that this 
is intended as a slightly higher state of mind which would insure 
that an inadvertent computer trespass could not be prosecuted, we 
do not want it construed to prevent prosecution of a person whose 
initial access was inadvertent but who then deliberately 
maintained contact, perhaps for several days. In our view, such 
conduct should be prosecuted. He would prefer to retain the use 
of the word "krowingly" and allow the sound discretion of federal 
prosecutors to weed out the truly inadvertent (and quickl'^' 
discontinued) computer trespassres. In the alternative r the 
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legislative his*^ory of the bill should include an averral of 
intent to reach the offenrler who "intentionally" maintains accp 
after a non-int«ftticnal initial contact. 

Mr. Chairman, although I have mentioned several areas in 
which ve would pt^efer to see S. 2281 amended, it represents a 
substantial improvement over present law and over many other 
computer crime Pxlln introduced in the Senate and the House. I 
%#ould liKe to c^'Jigratulete thr Committee and its staff for its 
work in this di^^icult area. Kr. Chainran, that concludes my 
prepared testim^J^V ard I would be happy to answer any questions 
at this timo. 
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Waahlngton, D.C. 20510 

Dear Mr. Chairman: 

Enclosed are responses to questions submitted by you and by 
Senator Specter following the April 16, 1986, hearing on S. 2281, 
■The Computer Fraud and Abuse Act of 1986." 

I hope this Information will be of assistance to the 
Conmlttee. 



RESPONSES TO QUESTIONS OF SENATOR THURMOWD RE COMPOTER CRIME 

Question 1: There are proposed anendxnenta to Section 
1030(a) (2) and 1030(a)(3). These amendments would replace the 
word "luiowiagly" with the word "intentionally" such that these 
aforenentioned sections would require that prior to prosecution a 
person would have to * intent iona 1 ly access a computer" as opposed 
to " knowingly access a computer." I believe that this requires a 
stricter standard of proof to successftrlly prosecute an act of 
covpater fraud. Do you agree with my assescment of this 
aaendment? Why or why not? 

Res^nse : S. 2281 would amend 18 U.S.C. 1030(a)(2) and 
(a) (3) » sections which deal with unauthorized access to computers 
containing certain types of financial information and with 
unauthorized access to government computers, respectively. 
S. 2281 also adds a new computer fraud offense as 1030(a)(4). 
The state of mind for the new computer fraud offense is that the 
defendant acted ")cnowingly." 

Tou are correct, however, in noting that the state of mind 
for the offenses set out in 18 U.S.C. 1030(a)(2) and 1030(a)(3) 
would be changed by S. 2281 from ")cnowingly" to "intentionally." 
Thia is a stricter standard of proof which, we understand, waa 
added to insure that persons who inadvertently made the type of 
unauthorized conputer access proscribed in these two provisions 
would not be prosecuted. As we noted in our prepared testimony, 
at pages 10-11, we would prefer to retain the use of the word 
"knowingly" and rely on sound prosecutorial discretion to weed 



Sincerely, 




VJjohn R. Bolton 
Assistant Attorney General 



35 



32 



out truly inadvertent unauthorized access cases. Our concern 
here is that an "intentional* standard might be argued to 
preclude the prosecution of a person who inadvertently made an 
unauthorized access to one of the covert computers and then 
deliberately maintained contact for several days. We suggested 
that if the Comittee decides to replace the word "knovingly* 
with "intentionally" in these provisions it make clear in the 
legislative history that it intends that the revised provisions 
are still intended to reach a person who "intentionally* 
maintains access after a non-intentional initial contac*.. 

Question 2: This amendment creates new offenses. One such 
offense allows for prosecution of an individual who after 
accessing a computer alters information in that computer. 
(1> What particular problems have there been with individuals who 
access a compuiter and then alter information? (2) Once this 
information is altered or destroyed , is it possible to replace 
it? 

Response ; There were at least three instances in 1985 
where r for a fee, persons used their home computers to alter 
other persons* credit ratings in credit reporting agency files. 
The operator of the computer simply views and alters, but does 
not "obtain" the credit history information as is required under 
18 u.S.C. 1030(a)(2) as it is presently written. 

There are, of course, a wide range of other institutions not 
covered by the statute such as motor vehicle departments, 
universities, hospitals, and insurance companies where the same 
thing could happen. Simply changing an address in a computer 
file for the delivery of funds or sensitive equipment and then 
changing the file bac)c so that it reflects the proper address is 
another type of problem. 

If the organization whose computer is involved has 
"bac)ced-up" the altered file and stored the bac)c-up separately, 
the information could be restored. Otherwise, altered 
information typically stays altered. 

Question 3t Are the majority of the problems with illegal 
computer access centered around inside employees or outside 
individuals? 

Response s It has been our experience that most illegal 
computer access problems are centered around inside employees. 
He base this primarily on the fact that the majority of the 
approximately SO computer related cases investigated by the 
agency Inspectors General in the past three years have been 
employee-related. Outside access is a recent phenomenon due to 
improved technology. 

RESPOMSES TO QUESTIONS FROM SENATOR SPECTER RE COMPDTER CRIME 

Question 1: Although the Comprehensive Crime Control Act of 
1984 aadressed computer-related offenses, new legislation may be 
needed in this complex area. What is your view regarding the 
inclusion of new offenses for theft or intentional destruction of 
computer data? 

Response t We thin)c both offenses should be included as part 
of any computer crime bill. Both are in S. 2281. 

yaestion 2: This legislation being considered today presents 
a different approach to new, complex crimes involving the use of 
computers. What is your view regarding the bill*s distinction 
between theft of information and unauthorized access? Do you 
believe the penalties in the legislation are adequate for this 
felony and misdemeanor respectively? 

Response ; S. 2281 would amend 18 C.S.C. 1030(a)(3) to 
proscribe making unauthorized access to a computer used 
exclusively by the Government of the United States or to a 
computer used part time by the government if the unauthorised 
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access affects the government's use. In a prosecution under the 
revis^l section 1030(a)(3) it would not be necessary for the 
govem^nt to prove that the defendant obtained anything of 
value, such as inforaation. For that matter, it %rould not be 
necessary to prove that the defendant even observed any par- 
ticular InforMtion or data in the co«puter system, just that he 
made the access without authority. 

S. 2281 would also amend 18 D.S.C. 1030 by adding a new 
paragraph 1030(a)(4) setting out a computer fraud offense. It 
would proscribe accessing a "Federal interest computer- (a term 
defined in the bill) without authority or in excess of one's 
authority, knowingly and with intent to defraud, and by means of 
such conduct furthering the intended fraud or obtaining anything 
of value other than just the use of the computer. Clearly, the 
phrase anything of value" would include information contained in 
the computer. One who obtains information obtains much more than 
just the use of the computer. Merely obtaining the use of the 
cosputer (without the additional showing that some information 
was obtained) is to be punished as an unauthorized computer 
access. 



We have no objcKrtion to this distinction between theft of 
inforMtton in a cosq^uter and unauthorized computer access. We 

believe S. 2281 striJces the proper balance in punishing the 
obtaining information* offense as a felony and the unauthorized 
access offense as a misdemeanor. We note that a second convic- 
tion of The unauthorized access offense irould be punished as a 
felony. We also favor this provision. 

complexities of computer-related crime 
5iii rSSfn- i;""!?.f? jurisdiction. What is your 

the bill- a limitation of Federal jurisdiction to 

to ?Si ^LiS?a??«n^i^*''^"^^'^^"' * specific loss value pursuant 
to the legislation is a viable means to define jurisdiction? Do 
you^have any additional suggestion, regarding the jurisdiction 



Response; Initially, as indicated in answer to the last 
S^?^^l7?''f"i.^?f^~'^^^^°" ^» ^^^^^^ t° felonies. There 
izel^^^^L^^o 1! J ^''^ ^^t misdemeanor of ma)cing unauthor- 

I Sioh? fSS ttnt S«°P"^«,"»«? *>y the United states government. 

^^A^ * "f offense of traffic)cing in computer 

iK:d':S.>fn;r"' " • 1030fa)?6), is ^so 

S. 2281 does, however, set out a specific loss value in its 
f^5J# ^ computer damage offense, the new 18 U.S.C. 

inllLllL This offense punishes as a felony the intentional 
?n?o™?lo 4 federal interest computer and either altering 
;jf^^!^r2 computer or preventing authorized access to 

the computer , ther^y causing a- loss of $1,000 or more during a 
one year period. The setting of the $1,000 floor was apparently 
an attempt to ensure that only cases involving a significant loss 
"^11 " felonies, although%s we'exptaSed a? 

wf ^ prepared statement if the computer involved was 
one owned by or operated on behalf of the federal government, the 
?olS?:^$?"^fK^ punished as a misdemeanor under 18 u.S.c! 
1030(a)(3), the unauthorized access offense. Normally, the 
S^fl?^"^ « •^"?^^*=^^ opposes provisions requiring the proof of a 
oTltHf in3 /"i^f because they can provide difficult problems 
of proof and lead to unjustifiable acquittals of guilty defen- 

S'!) ?;;J^*'r'^}'"' ^ "-l^" that substantial'Suppirt haS 
developed for this provision, and have not opposed itV However, 
in our prepared statement we suggested that the legislative 

^iSn?3 ■ "'^^ factors should be 

counted in reaching the $1,000 floor such as lost computer time 
^ ?5J?* J' unauthorized computer entries and the costs associ- 

checking and, if necessary, redesigning an altered 
comparer program. 
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Senator Laxalt. Our next witness, then, will be Joseph Tomp- 
kins, who is an attorney here with Sidley & Austin. 

Mr. Tompkins, we thank you for your past cooperation and help 
through the ABA. It is my understanding that you do not have any 
written statement, as such, and that is probably refreshing. 

STATEMENT OF JOSEPH TOMPKINS, ATTORNEY, SIDLEY & 
AUSTIN, WASHINGTON, DC 

Mr. Tompkins. I apolc^ize for not having a written statement, 
Mr. Chairman. It was only a few days ago that I was asked to 
present testimony, but I will be glad to submit a written statement 
following the hearing today if that would be helpful. 

Senator Laxalt. Tliat would be entirely satisfactory. 

Mr. Tompkins. Thank you. 

Senator Laxalt. I would like you, for the benefit of the members 
of the committee, to give tis your frank impressions of the present 
l^islation together with some of the modifications that have been 
proposed by Justice and others. 

Mr. ToBCPKiNS. I will do the best that I can. 

As I think you know and others know, I have been serving as 
chairman of the ABA Criminal Justice Section Task Force on Com- 
puter Crime, and it is our task force that published the computer 
crime report in June 1984. 

For that reason, we have kept close track of the legislation on 
the subject. 

Senator Laxalt. Incidentally, for the record, the report has been 
enormously helpful to us in the process of this l^^lation. We 
thank you for that. 

Mr. Tompkins. Well, I appreciate your saying that. The response 
to the report has been— I think overwhelming would be an accu- 
rate description of the interest and the followup that we have had 
after it was published. 

I should make clear that any remarks I make today are my 
views only. I am not in a position to speak on behalf of the ABA. 

Senator Laxalt. The record will note the disclaimer. 

Mr. Tompkins. Or for anyone else, for that matter. 

In general, I think the proposed revisions included in the legisla- 
tion are a step in the right du-ection. They broaden the scope of the 
existing computer crime statute in some laudatory ways. 

They clarify some terms and provisions of the existing statute in 
a useful way, and they refine and rationalize some of the sanctions 
available. 

Senator Laxalt. Have you had to work with the bill yourself as 
a practitioner? 

Mr. Tompkins. I have given advice to some clients on the bill, 
yes, sir. I have not been involved in a proceeding under the bill. 

Senator Laxalt. In terms of working with the bill within the 
courts, have there been problems in connection with terminology, 
vagueness, and that sort of thing? 

Mr. Tompkins. I can only speak secondhand. I have talked to 
prosecutors who have tried to use the bill, and I know in a previous 
hearing this past fall an assistant U.S. attorney here in the District 
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who was doing a grand jury investigation trying to use the statute 
indicated he had some problems, and he identified several. 

One was with the soK^alled use exempU^n, which is part of sec- 
tion (aX3). The proposed lt^;islation would eliminate the use exemp- 
tion, and I think tliat is one of the clarifying points that is useful. 

However, it still has a phrase ''affects such use," and one sugges- 
tion I have is, the committee joay consider defining what ''a^cts 
such use" means, what that phrase means. 

There also have been press reports of other prosecutors. I know 
one m Denver who was faced with a constitutional challenge when 
she was tiving to prosecute somebody under the existing statute, 
and the defense was asserting that it was unconstitutionaUy vague. 

I do not know whether that ever went anywhere, but there have 
been 

Senator Laxalt. What did the trial court do with it? 
BCr. ToMPKms. I have not heard the outcome. 
Senator Laxalt. OK. 

Mr. ToicPKiNS. But that was a problem that was raised. 

P^^happ I could get to some specific coir ^ients about the pro- 
posed bill, and I will focus on the new provisions that are being 
proposed to be added. 

JAb existing provisions sections (aXD, (aX2), and (aX3) are araended- 
ed m some form by the proposed Illation, and I think the 
amendments are helpfuL Tliey use the phrase "exceeding author- 
ized access instead of the other cumbersome phrase, audit defines 
what that means, which I think is helpful. 

Section (aX2) is also being broadened by including a broader defi- 
nition of financial institution," and I think that is commendable 
^ well. I would note that section (aX2) still does not cover certain 
fmancial records. SpecificaUy, it would not cover corporate finan- 
^ records of a confidential nature that are not stored within one 
of the institutions that is within the definition of "financial institu- 
tion." 

These records, similar to individuals' credit records, are stored in 
weequivalent of corporate credit agencies, such as Dun and Brad- 
atreet, Mood3rs, and other entities. I have, just through conversa- 
tions, discovered that there have been problems with people intrud- 
ing m confidential corporate records which are kept m these kinds 
of agencies. 

That would not be covered by the legislation. I think that is 
somethmg the committee may want to consider as a fiirther broad- 
ening of the act. 

Senator Laxa lt. Do you see any downside to that? 

Mr. Tompkins. The downside would perhaps be, if it was too 
broad, it would maybe give some zealous prosecutors too much au- 
thority or it would open the door to perhaps more litigation than 
the committee intends. 

The other argument is that people can protect themselves and 
why cannot the corporations civilly go after people that intrude on 
theur records. I think that is a partial answer, but I am not sure 
that that should be exempted firom criminal sanction. 

Senator Laxa lt. Give us some suggested language. 

Mr. Tompkins. I will be glad todo that ifl have a little more 
time to come up with something. 
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Senator Laxalt. You can do it on ycur own. We will not tie it to 
the ABA or anybody else. 
Mr. Tompkins. All right. 

Section (aX3), I think, is improved for the reasons I mentioned, 
getting rid of the use exemptipn. That is where the phrase ''affects 
such use'' occurs, and my suggestion would be, to avoid perhaps un- 
necessary and costly litigation over what that phrase means, the 
committee may want to define what ''affects 3uch use" means. 

In a number of State computer crime statutes, "use" is normally 
defined, and "affects such use," if that phrase is used, has been de- 
fined. 

Let me get to section (aX4). That is the . 

Senator Laxalt. Justice, incidentally, has made that same rec- 
ommendation. 
Mr. Tompkins. I concur with that. 

Section (aX4) is the new fraud prorision. I agree with some of the 
comments that Ms. Toensing had about that Specifically, I agree 
that the committee should consider, if not exactly tracking the lan- 
guage of the wire and mail fraud statutes, perhaps modifying the 
language to make it similar to that. 

A second comment on that— the proposed provision would seem 
to require premeditation; that is, the intent to defraud would have 
to be formed before someone accessed improperly a computer. 

There have been instances that we know of where someone im- 
properly accesses a computer, not knowing v/hat they are going to 
find. They find credit card records or other financial information, 
and at that point they decide they are going to use that to defraud 
someone. 

Senator Laxalt. C!ould not the intent be formed at that point? 

Mr. Tompkins. It would be. The wording of the statute would 
seem to say that at the time of the access there has to be an intent 
to defraud. 

Senator Laxalt. And the intent could not be formed later even 
though the original access was innocent? 

Mr. Tompkins. Technically, a literal reading of the statute would 
seem to say that that is not covered if the intent was formed later. 
A wording change to say whether the intent was formed before or 
after — I mean, again, that is an easy modification to make. 

Senator Laxalt. I think you are probably right. If you read it 
technically, the intent to defraud really is tied and linked pretty 
closely, if not totally, to the original access. 

Mr. Tompkins. That is my reading of it as well. 

Senator Laxalt. All right. 

Mr. Tompkins. Section (aX5) is the provision I would like to focus 
on the most. There are a number of comments I have on that. One 
is, the provision covers the alteration of information. I am not sure 
whether it would cover the destruction of information or data. 

Arguably,, "alter'' would include "destroy." Most of the State 
statutes on the subject include the words "alter or destroy/' and I 
would suggest that be added before "information." 

Also, my reading of the provision is that it would not cover the 
destruction or alteration of computer software. Software is normal- 
ly treated differently than the data itself which is in a computer. 
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"Information" normally means the data and not the program, not 
the software that runs it. 

That particular kind of computer crime is one that we identified 
in our report. It was one of the most frequently mentioned types of 
computer crime that affected the people that responded to the 
survey. 

Senator Laxalt. I am glad you raised that because it has never 
been the intent of any of us to exclude software. You think we 
need language, then. Is that what you are saying? 

Mr. Tompkins. Well, my suggestion would be that the phrase— it 
could read "alter or destroy information or computer software"; 
that those words be added to make it clear that that is covered by 
the legislation. 

If you do that, then you probably need to define what you mean 
by ''computer software,*' and there are a number of State statutes 
that define that as well. 

Senator Laxalt. Is there a rather common definition on the 
State level as to what constitutes "software"? 

Mr. Tompkins. I think the definitions are similar and it is being 
used enough now in litigation that coming up with a generally-ac- 
cepted definition should not be tiiat difficult. 

Then later in the provision, it speaks of altering information in 
that computer, thereby causing loss to another of a value aggregat- 
ing $1,000 or more during any 1-year period. 

The question that occurs to me is what about the accessing of 
multiple computers to cause a ]oss aggregating more than $1,000. 
In other words, the way the statute reads, it is specific to "that 
computer" that was acce3sed. 

In a number of cases, someone will do the same scheme, access a 
number of computers, and maybe not cause a loss over $1,000 in 
each computer. But if you add up the losses they incur, they are 
over $1,000. 

So my suggestion would be to say "in such a computer" instead 
of "in that computer" to cover the multiple 

Senator Laxalt. Do you think that would do it? 

Mr. Tompkins. Well, given the few days I have had to think 
about it, that is what occurred to me. 

Senator Laxalt. Well, tell me again now. You would insert it 
where? "Or prevents authorized use of that computer"— you would 
include it there? 

Mr. Tompkins. Instead of the phrase "in that computer," it 
should read "in such a computer." 

Senator Laxalt. Oh, I see, and you would add what, now? How 
would you change the phrase "in that computer?" 

Mr^ Tompkins. With the changes I have talked about before, it 
would read "such conduct alters or destroys information or comput- 
er software in such a computer." 

Senator Laxalt. ''In such a computer." 

Mr. Tompkins. Somebody else with a sharper eye may come up 
with a better phrase than that. 
Senator Laxalt. Yes, all right. We see where you are going. 
Mr. ToBCPKiNs. That is the point, anyway. 
Senator Laxalt. OK. 
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Mr. Tompkins. There is also the question of what about a person 
who accesses a computer and obtains information which allows him 
or her to impose small losses on hundreds or thousands of people. 

The way this is worded, it talks in terms of a loss ''to another" 
and arguably would not include the cases that we know about 
where someone gets in a computer, gets the records of many indi- 
viduals, and causes perhaps $50 in losses to 10,000 people. 
' The argument could be made that this does not cover that. 

Senator Laxalt. Do you think the fraud provisions might? 

Mr. Tompkins. The fraud provisions might, and specifically if it 
were credit card fraud, I think section 1029 would probably cover 
that. What I am thinking of is there are people who are able to 
access computers and destroy similar kinds of software where the 
individual would lose a $50 software program or a $100 software 
program, and do that to a lot of people. 

To avoid the argument that that is not covered by this because 
each individual that is affected has to incur a loss of $1,000, that is 
the point that I am raising. 

Senator Laxalt. All right. 

Mr. Tompkins. My suggestion would be to make it read ''thereby 
causes losses to one or more persons aggr^ating $1,000 or more 
durinjg anv 1-year period." And then you might want to consider 
defining ' person" to include individuals, institutions or Govern- 
ment agenci^ to make clear what that phrase means. 

The committee might also want to consider defining what loss 
encompasses, because that is another pLrase that can be ambigu- 
ous and State statute normally define it. 

Another issue that you might want to consider is there may be 
instances in which the perpetrator improperly gains something of 
value but causes no direct loss to another person. 

For example, if a competitor gains access to the computer records 
of a firm's actual or potential customers or marketing plans, that 
firm may be able to gain substantied income from it, but it may be 
difficult to prove a direct loss to the company that was the vi(itim. 

Again, in a situation like that, perhaps there could be civil recov- 
ery by the victim, but I raise the question of should that conduct 
where the perpetrator gains a lot but there is no provable, direct 
loss to the victim — should that be covered as well in a criminal 
statute? I just raise that as a question. 

Regarding the $1,000 or more loss requirement, as I read the 
analysis that accompanies the bill, the explanation is that that is 
not a jurisdictional amount. In other words, that is a felony and a 
misdemeanor-determining factor and if you do not meet the $1,000, 
then you get kicked back to (aX3), which is the trespass statute. 

As I looked at it, it became apparent to me that the coverage of 
(aX5) is not the same as the coverage of (aX3). In other words, they 
are not coterminous. Specifically, (aX5) covers so-called Federal-in- 
terest computers, and those are defined mean computers exclu- 
sively for the use of a financial institution or the U.S. Government, 
or which is one of two or more computeru used in committing the 
offense not all of which are located in the same State. 

Now, if you do not g&t in under (aX5) because of the $1,000 limit 
and you get, therefore, put back to (aX3), (aX3) applies only to com- 
puters used exclusively by the U.S. Government, or if not exclu- 
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sively used, it is used to some extent by the Government and the 
conduct affects such use. 

I guess the point is it is not really a felony-misdemeanor cutoff. 
It is, in a sense, a jurisdictional cutoff because if you do not make 
it under (aX5), there are instances — for example, if one improperly 
accesses a nongovernment computer across State lines and a $1,000 
loss to another cannot be shown, then in that instance you do not 
fit within either (aX5) or (aX3). 

Senator Laxalt. That is correct, apparently. 

Mr. Tompkins. That is a gap that I think you might want to 
plug. I guess the question might be, if you cannot show a $1,000 
loss, why should we be concerned? I think some of the discussion 
that the Department has made about the $1,000 loss and the diffi- 
culty of proving that applies. 

But there have also been instances, and the Sloan-Kettering 
Cancer Institute is an instance, where there was the infiltration of 
hospital records and the alteration of those records, and that oc- 
curred across State lines. 

You cannot show a $1,000 loss from that directly, but you can 
show that some patients may have been harmed. That is the kind 
of thing that, to me, should be covered. Under the proposal, it 
would not be. 

One way to fix it would be to eliminate the dollar threshold and 
make punishment dependent upon the loss incurred or the value 
obtained, with flexible definitions of each. I think that was the ap- 
proach used in some of the earlier legislation. 

Another way to do it would be to make (aX5) and (aX3) cotermi- 
nous in terms of their scope. 

The final point I would make, and I apologize for going on this 
long, is really a problem and I raise it as something that I do not 
have a clear answer on how it should be dealt with, but maybe it 
could be dealt with in the legislation. That is the so-called Trojan 
horse problem. 

As you probably know, there are computer programs which are 
designed essentially to destroy other computer programs. One par- 
ticularly devious scheme which has been used with some frequency 
is to entice computer owners to accept these program-devouring 
programs without knowing what they are. 

This is often done by advertising these Trojan horse things on 
electronic bulletin boards, describing them as program enhance- 
ments. Once the invitation is accepted, the unsuspecting computer 
owner finds that instefid of enhancing his program, what he has 
gotten off the bulletin board has destroyed his program. 

The problem, of course, is that those losses are, in a way, self- 
inflicted. If the person had not tried to get the program off the bul- 
letin b :drd, he would not have incurred a loss. 

But they are really the result of a trap that has been set for the 
unwary by shrewd and evilminded perpetrators. Those schemes are 
not covered by the existing law and they would not be covered by 
the proposed legislation 

Designing language to encompass those without being too broad 
is a challenge for all of us. I do not have any specific language, but 
I raise that for you and the members of the committee as some- 
thing to be considered. 
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I would ju8t conclude by saying that there are additional sugges- 
tions that could be made in terms of additional definitions — words 
such as ''access" or ''authorization" that could be defined to make 
the statute a little more clear. 

Something that I testified about a couple of times before House 
subcommittees is the addition of civil remedies to a law such as 
this. That has been done in several States, including Vii^ginia, and 
there are arguments on both sides of doing that. 

Senator Laxalt. Has it been helpful? 

Mr. Tompkins. I think the experience in Virginia has been that 
it has been helpful. Given the scarcity of law enforcement re- 
sources, often it provides a means for a civil victim to deal with the 
problem so that law enforcement does not have to get involved. 

The downside of it is, it creates a civil remedy and it adds to the 
litigation and the burdens on the courts. 

Senator Laxalt. Is there no common law remedy? 

Mr. Tompkins. There can be, I think, in some instances, but it is 
not always clear that there is. The common law was not developed 
at a time when computer programs were in operation, so that cre- 
ates a difficulty. 

So the civil remedies thing I would raise again as something to 
be considered. The final point is the issue of concurrent jurisdiction 
and the issuance of guidelines for the exercise of Federal jurisdic- 
tion. 

I know that is something that has been dealt with in some of the 
previous legislative proposals, either putting the guidelines in the 
l^islation or requiring the Attorney General to develop those. 

I think that is worthy of consideration, and I know some of my 
colleagues in the ABA who are State and local prosecutors are very 
concerned about that. 

So, with those comments, I thank you for the privilege of being 
here, and I commend the committee on the work it has done. 

Senator Laxalt. Well, we thank you, Mr. Tompkins. Once again, 
you have been very helpful. I do not know whether there will be a 
need for you to submit anything. We have a record here. If you 
have some additional suggestions, pass them on, and there will be 
some time here before we go to the full committee markup. 

We thank you very much again for your time and attention and 
help. 

Mr. Tompkins. I may be able to do it better in writing than I can 
orally. 

Senator Laxalt. You do very well orally. 
Mr. Tompkins. Thank you. 
Senator Laxalt. Thank you. 

Very well. Our next witness is Mr. John Sponski, who is group 
executive officer at Sovran. Mr. Sponski is also representing the 
views of the Virginia Bankers Association. He testified at the sub- 
committee hearing that I chaired last year. 

You, also, Mr. Sponski, have been enormously helpful to us in 
the formulation of this legislation and particularly these modifica- 
tions. 

Mr. Sponski. Well, thank you, Mr. Chairman. 
Senator Laxalt. Proceed in any manner that you wish. 
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STATEMENT OF JOHN J. SPONSKI, GROUP EXECUTIVE OFFICER, 
SOVRAN FINANCIAL CORP., RICHMOND, VA 

Mr. Sponski. In view of the fact that I did testify before you last 
year and you graciously heard my written statement at that time, 
why do we not just insert that into the record, and what I would 
like to do is just cover some summary points of my comments. 

First of all, I want to point out tliat the Virginia Bankers Asso- 
ciation and Sovran Financial Corp. want to encourage you and 
your committee to speedily pass this legislation. 

The importance to our business of computer systems and 'our 
data bases cannot be sufficiently stated. We have recognized this, 
and for years we have spent considerable funds and taken exten- 
sive measures to attempt to restrict access to our systems. 

But, very frankly, every time we put in a safeguarding measure, 
people who have intentions of intruding into your system, who are 
quite intelligent and very sophisticated, will find some way to get 
around it. 

This is so vital to our business that our concern is the confidence 
of our customers and the privacy of their financial information — 
that their confidence in us as institutions and protectors of that 
private information is being eroded, not nec^sarily because specif- 
ic incidents have V^curred, but because so much is being written 
nowadays about the skill of backers and their opportunity to get 
into ^tems. 

It is absolutely vital that we have effective, simple legislation as 
soon as possible. 

Now, this morning I have heard a couple of things that I want to 
talk about for a moment. I have heard this phrase called "acciden- 
tal access." Frankly, in my mind, there is no such thing as acciden- 
tal access into a computer system or into a date base. 

One could randomly generate a telephone number and acciden- 
tally get into a computer system. But with the safeguards in effect 
at that time, you would have to take a deliberate measure to at- 
tempt to develop what the access code is to allow you to come into 
that computer system. 

Let us say even if you did that accidentally and by some quirk 
your normal access code happened to be also an authorized access 
code in that particular system, that computer system would then 
identify itself to you and you would surely know at that particular 
point that it was not what you were tr3ring to get into. 

If you continue at that particular point, then in my mind you are 
doing it deliberately and not as a case of accident. 

Senator Laxalt. Good point. 

Mr. Sponski. So the statistical probability of an accidental occur- 
rence happening without the intruder being aware of it as an un- 
conscionable act is just nonexistent. 

The second point is cas^v -^erusal. I have heard a lot of com- 
ments today both from the . ce Department and the representa- 
tive from the ABA talkh^ out if you are into the computer 
system, but ^ou do not do i damage to it, or changes less than 
$50, et cetera. 

Casual perusal does as m\xch to jeopardize the confidence of cus- 
tomers and our ability to provide and protect the information that 
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they have entrusted to us. Now, what I mean specifically by casual 
perusal is that someone gets into a system and then literally goes 
in and says, let's see what is in it; let me find out the information 
about, for example, the chairman of our bank — what is he deposit- 
in his account, what type of accounts does he have, et cetera, 
ow, in that case, there has been no transfer of funds; there has 
been no alteration whatsoever of software code or data that is in 
the file. But the intruder is, in fact, using a data base for purposes 
for which it was not intended. He is not an authorized user. 

I think that casual perusal should be treated with as much sever- 
ity as going in and deliberately changing codes or altering financial 
records. 

The last part that we wanted to bring to your attention, and we 
certainly appreciate that the committee is attempting to be respon- 
sive to meeting this threat to our privacy considerations for our 
customers, is that the penalties, I think, have to be significant. 

You recall in October when I testified before you at the time, I 
used the analogy that today, because of legislation that occurred in 
the 1930's, when one robs a bank, it is not a casual occurrence. One 
recognizes that you are taking a very large step when you go and 
rob a bank because Federal l^pslation inunediately requires that 
Federal investigative agencies come into play whenever a bank has 
been robbed. 

Today, looking at the proposed penalties in the bill, I am con- 
cerned if it will really detract the intruders and the hackers from 
coming into the systems. Is there enough teeth in the penalties to 
make the intruder understand that if I am going to play this 
gambit, in fact, it becomes a serious offense and very technically 
capable Federal investigative agencies will come into play in this? 

It is not going to be that somebody in the sheriffs department 
ma^ have this on a part-time basis, or some member of a local 
police department. In fact, the power and the experience and ex- 
pertise of a Federad investigative agency such as the FBI or the 
Secret Service is going to come into play, and this becomes very se- 
rious business. 

So I think that what we are looking for is we recc^ize the Fed- 
eral legislation today which has been in effect for many years has 
not prevented bank robberies by any case, but it certainly has 
made it a very serious offense and I think has discouraged people 
from casually going in and robbing an institution, recognizing the 
implications of that step. 

We think the same thing needs to be applied in the case of these 
intruders and hackers coming into data bases; that that is a very 
serious intrusion into the system. 

That is all I waited to bring to your attention. Senator, and we 
do appreciate that you and your committee are attempting to get 
this legislation passi^ as quickly as you can. 

If there is any question 1 can help you with, with my background 
in data processing as well as bank operations, I would be glad to 
help you or your committee on it. 

Senator liAXALT. Well, we appreciate that greatly. Again, we 
thank you for coming in this morning and offering, as you have in 
the past, some constructive suggestions. We will stay in touch. 

Mr. Sponski. Thank you. Senator. 

[The prepared statement follows:] 
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TBSTIMONY BEFORE 



THE COMKITTEB OH THE JUDICIARY 



UNITED STATES SEHATE 



BY 



JOHH J. SPOHSKI 



GROUP EXECUTIVE OFFICER 



SOVRAH FIHAMCIAI. CORPORATIOH 



Nr. Chalraan and Meabers of the CooMittee: 

My name Is John J. Sponskl. I aa a Group Executive Officer 
within Sovran Financial Corporation with responsibility for 
Operations and Data Processing In Sovran Bank, N.A. Sovran 
Financial Corporation headquartered In Horfolk, Virginia, is 
a Bultl state Financial Institution with banks In Virginia, 
Maryland, and the District of Coluabla. As of Deceaber 31, 
1985,, Sovran Financial Corporation had assets of $13.0 billion. 
Sovran Financial Corporation provides coasMrclal banking and 
related financial services and products to Its custoaers >^'ough 
a network of 357 branc:hes and 297 autoaated teller aachines 
In over ISO coaaunltles in VA, MD, and DC. Sovran Baiik, K.A. 
In Virginia Is a aeaber of the Federal Reserve Systeay a,-d Its 
deposits, which totaled $7.2 Billion as of Deceaber 31, 1985, 
are Insured by the Federal Deposit Insurance Corporation. 

Tliis aomlng I represent not only Sovran financial 
Corporation, but also the 168 aeaber banks of the Virginia aankers 
Association. We strongly support and recoraei d passage of '< ; 4- 
latlon to discourage and deter unauthori- .d access to r- ; use 
of coaputer systeas aalntalned by ?i:^nclal . / "ons. 
Although soae states currently have statutes «hi'-'h provide for 
fines or iaprlsonaent for those residing In tlte state, who access 
and use financial Institution coaputer systens vlthottt aathorX- 
satlon, these aeasures are Inadequate since they do not addyresw 
incursions into systeas originated by Intruders outside a state 
through use of current telec oiaiunl cations technology. 




44 



Sovran Financial Corporation strongly supports Federal 
legislation to coabat the risks of exposure to loss frasi un- 
authorized incursions into our computer systeas by an increasing 
nuBber of people who have the knowledge of and access to tech- 
nology. Siapler and effective legislation is needed, now, to 
discourage and punish onauthorized incursions, particularly, 
when initiated outside a state's boundaries. 

I am confident that the aeiibers of this Cr— i ttee appreciate 
the importance to the Financial Industry of computers and infor- 
■ation data bases. Most products and services provided by 
Financial Institutionie^ could not be provided without coaputers 
and inforaation data bases . Today , aany within the Financla 1 
Industry consider our basic function to be infonation transfer 
to our custoaers rather than just depository/ lending services. 

Through the infonation stored in our data bases we are 
able to provide custcaers with tiaely, reliable infonation 
on their f inancia 1 condition , so they can transfer funds with 
confidence and invest wisely. 

Currently, the value to a Financial Institution of the 
infonation stored in its data bases far exceeds the value of 
its vault cash. In aany ways infonation is aore valuable than 
cash because of its potential for use. Through our infonation 
data bases we aeet our custcaer's financial service needs; analyse 
data for aarketing strategies and prograas; provide various 
reports to regulatory and govemaiental agencies; and, of course, 
maintain our own corporate records. Financial institutions 
to<iay cannot function without tiaely, accurate and detailed 
ioforvntion data bases. 

Soirrftn ^inancial Corporation's use of and reliance on coa- 
puters reiieeta » prevalent condition i- the Financial industry. 
The Sovran ^inajieial Corporation currently has 10,515 eaployees. 
We have over fe.OOO teninals connected to our coaputers* These 
terciinKla a'-w used by our eaployees and our custoaers. Daily, 
w^t 800.090 transactions or requests for infonation are entered 
through these teninals. At present. Sovran has 172-8 Billion 
Bytes of data stored on our disk units. If we were to print 
out this data on co^uter paper with 7,500 characters per page. 
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this would result in a report 3,271 miles long, the distance 
frcB San Diego, California to Acadia, Maine. The information 
we have on our conputer systems is proprietary in the sense 
that it is oars, obtained from oar customers to meet their finan<- 
cial service needs. This information is also private since 
it is about our customers and that most confidential subject 
" their money. In this regard, the information has been entrusted 
to us. 

Recognizing our responsibi lity to saf eguc rd thi s valuable 
asset - information. Sovran Financial Corporation and other 
institutions have in use various means to control access to 
our information data bases. At Sovran we employ a series of 
progressively restrictive access control methods. These measures 
include restricting access to data bases to only those employees 
who must use the information to service customers; requiring 
unique access codes assigned to each terminal user to identify 
and monitor entry to the data bases; requiring quarterly changing 
of access codes; protecting application systems with highly 
structured terminal control systems which limit une of terminals 
to specific ijklividnals, by function, by type of transactions 
and other criteria; by employing dial-back techniques for systoa 
accessible to dial-up terminals ; and lastly, selective use of 
message authentication or encryption of data. These are elaborate 
and expensive measures we have taken to protect this valuable 
asset - information. But the true value in information is its 
use and, consequently, control systems, no matter how effective, 
must permit access to the information for use. 

The most ef f ecti ve way to protect anything of value i s 
to put it into a vault constructed of thick reinforced walls 
with elaborate sensitive alarms. To provide absolute security 
this vault does not have a door - so the valuables cannot be 
removed. This is absolute security. Information stored in 
a data base in such a way as our vault is indeed secure. But 
it is also frankly useless and valueless since it could not 
be accessed for use. 

Sovran Financial Corporatioo and other Financial Institutions 
have installed reasonably effective and practical safeguards 
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for their Information Data Base. Bowever, the rapid advances 
of technology, the extensive development of telecoamnnications 
systems, and the ready availability of powerful microprocessors, 
matched with the increasing knowledge and experience of many 
within our nation about computer systems are eroding our safe- 
guards. Computer 'Backing* is an intellectual challenge for 
many. For those so inclined it has replaced the intricate strate~ 
gies and thought processes of a chess ga 2. niis interest in 
'Beating* an institution*8 access control system will not diminish 
so long as intruders receive notoriety in the mer'ia and verbal 
reprimands from authorities cautioning them to put their talents 
to other applications. 

In 1984* the Computer Crimte Task Torce of the American 
Bar Association surveyed 1«000 private organizations concerning 
the nature and occurrence of computer related crime. Seventy-nine 
percent of the respondents indicated siqiport for a Federal crimi- 
nal statute as needed to combat unauthorised intrusions into 
computer systems. Sovran Financial Corporation and the 168 
member institutions of Virginia Bankers Association are also 
strongly in support of a federal statute which would deal with 
computer intrusions occurring, both Intra and Interstate. 
Intruders are not limited by state boundaries. Low cost long 
distance systems permit an intruder to make their gambit at 
a most reasonable cost. 

A Federal statute imposing imprisonment terms of consequence 
will complement the efforts taken to date and planned by Sovran 
Financial Corporation and other Financial institutions to protect 
aiid restrict access to data. Bat since use coi^ls us to add 
a door to our perf ecTt vault, so also must we provide a door 
to our information systems. Just as it is a violation of a 
Federal statute to rob the vault of a Bank, we believe it should 
also be a violation of a Federal statute to gain entry without 
authorisation to an infotMtion data base; or to misuse an 
information data base when access is authorised ; and most 
certainly when data is altered, added, or deleted within an 
information data base without authorisation. 
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Without a Federal statute to discourage unauthorized entry 
into inf oraatioD data bases , any measures or technique vil 1 r 
as in chess r be countered by a skillf ulr talented and highly 
intelligent Intruder or Backer. Of course, existing Federal 
statutes have not elijiinated bank robberies. But these statutes 
have definitely discouraged a casual attitude toward robbing 
a bank. A Federal statute which requires the intervention of 
Federal Investigative Agencies into incidents of unauthorized 
access to and aisuse of inforvation data files will not eliminate 
every occurrence bat it will certainly increase the penalties 
of the gaae. 

Nr. Chairaan and acKbers of the Ci im i I I r i we know you 
■ust consider and evaluate aony requested Federal statutes; 
but we earnestly request you to act speedily to pass legislation 
to provide an additional aeasureaent of protection to the vital 
infonation data bases and coaputer systems , both in existence 
and under development , in our progressively technologically 
dependent nation. 

Thank you for this opportunity to present the concerns 
and rei i i—i. iid iitions of Sovran Financial Corporation and the 
Virginia Bankers Association. 
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Senator Laxalt. I would like before we close the record to, if 
there is no objection— I do not see any— file a statement by Senator 
Denton for the purposes of the record. 

[The following was received for the record:] 



Mr. Chairman, I strongly support and azn proud to be an original cosponsor of S. 
2281, the Computer Fraud and Abuse Act of 1986. I congratulate and commend my 
distinguished coUeague from Virginia, Senator Trible, for introducing this impor- 
tant legislation, and I thank the chair for its leader^p in expediting committee 
consideration of the bill. 

The rapid evolution of computer technology has required us on several occasions 
to reassess the adequacy of our existing criminal statutes to deal with the novel pat- 
terns of criminal activity made possible by the widespread use (rf* computers. For 
instance, in June 1985, as chainnan of the Senate Judiciary Subcommittee on Secu- 
rity and Terriorism, I chaired a hearing on the use of computers to transmit materi- 
al that incites crime and constitutes interstate transmission of implicitly obscene 
matter. That hearing yielded abundant evidence of various courses of criminal con- 
duct which were difficult or impossible to prosecute under pxigHng law because the 
conduct occurs, in whole or in part, through computer transmissions. 

The bill which is the subject of today's hearing, S. 2281, is intended to deal with 
crimes spawned by the "Computer Age." The bill clarifies and strengthens mailin g 
Federal protections against computer crime and creates new offenses to deal with 
cert; in acts which are not now crimes under Federal law, such as theft by computer 
with the intent to defraud and the intentional destruction of computer property, 
when those offenses are committed on an interstate basis or involve the computers 
of federally insured financial institutions. 

S. 2281 addresses computer crimes which are properly matters of Federal concern. 
The legislation is needed to keep our criminal code relevant to such criminal activi- 
ties, which are made possible by the continually developing technology in the com- 
puter field. I urge my colleages on the Judiciary Committee to report the bill favoi^ 
ably to the full Senate. 

Thank you, Mr. Chairman. 

Senator Laxalt. Very well. We will stand adjourned. Thank you 
all. 

[Whereupon, at 10:41 a.m., the committee was adjourned.] 
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